Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Is dynamic server selection only for when termination enabled?

  • 1.  Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 25, 2013 01:38 PM

    I basically have two RADIUS servers configured for a particular server-group.  Termination not enabled.

     

    Problem is, particular handheld devices only are successful if they use the backup server.  Every other device is fine against the primary RADIUS.

     

    And yes, I know the server guys need to fix it, but I'm trying to see what my options are.

     

    Thanks



  • 2.  RE: Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 25, 2013 01:40 PM

    Do you have "fail through" ticked off?  If yes, this will send the auth to the second server IF the primary server sends a reject message.



  • 3.  RE: Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 25, 2013 01:42 PM

    But that is only if termination is enabled on the controller?  Is that right?



  • 4.  RE: Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 25, 2013 01:48 PM

    According to the user guide, yes.  Have you looked at the following:

     

    The controller can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request.

     

    For example, an authentication request can include client or user information in one of the following formats:

     

    • <domain>\<user> - for example, corpnet.com\darwin

    • <user>@<domain> - for example, darwin@corpnet.com

    • host/<pc-name>.<domain> - for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1x machine authentication in Windows environments)

     

    When you configure a server in a server group, you can optionally associate the server with one or more match rules. A match rule for a server can be one of the following:

     

    • The server is selected if the client/user information contains a specified string.

    • The server is selected if the client/user information begins with a specified string.

    • The server is selected if the client/user information exactly matches a specified string.



  • 5.  RE: Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 25, 2013 01:58 PM

    Trying to do that, but doesn't seem to work.  Here is the server-group

     

    Brasil server-group.jpg

     

    but here is the auth-tracebuf

     

    Sep 25 14:52:30  eap-id-req            <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               1   5
    Sep 25 14:52:30  eap-id-resp           ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               1   25   <user>@CORP
    Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               18  262
    Sep 25 14:52:30  rad-resp              <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  18  90
    Sep 25 14:52:30  eap-req               <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   6
    Sep 25 14:52:30  eap-nak               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   6
    Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  281
    Sep 25 14:52:30  rad-reject            <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  56
    Sep 25 14:52:30  eap-failure           <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   4    server rejected

     

    To me, that shows it not working.  I tried with the match-authstring as well with the username, but it didn't choose the second server.

     

    :smileysad:
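
An added example, not part of the original post and not Aruba code: a small parser for the auth-tracebuf lines above that reports, per station, the identity offered and which RADIUS servers were actually involved, so a match rule that never took effect is easy to spot. The column layout is inferred from the trace itself, and the rule string "@CORP" and server name "backup01" are hypothetical.

```python
import re

# Trace lines copied from the post above (the identity is already redacted there).
TRACE = """
Sep 25 14:52:30  eap-id-req   <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             1   5
Sep 25 14:52:30  eap-id-resp  ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             1   25   <user>@CORP
Sep 25 14:52:30  rad-req      ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             18  262
Sep 25 14:52:30  rad-resp     <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  18  90
Sep 25 14:52:30  eap-req      <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             2   6
Sep 25 14:52:30  eap-nak      ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             2   6
Sep 25 14:52:30  rad-req      ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  281
Sep 25 14:52:30  rad-reject   <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  56
Sep 25 14:52:30  eap-failure  <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32             2   4    server rejected
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed columns: timestamp, event, direction, station MAC, BSSID[/server], id, length, info.
LINE = re.compile(
    rf"^(?P<ts>\w{{3}}\s+\d+\s+[\d:]+)\s+(?P<event>[\w-]+)\s+(?P<dir><-|->)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<server>\S+))?\s+"
    rf"(?P<id>\d+)\s+(?P<len>\d+)\s*(?P<info>.*)$", re.I)

def parse_trace(text):
    """Return one dict per recognised trace line; unrecognised lines are skipped."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(events):
    """Per station: identity offered, servers seen in the exchange, who rejected."""
    out = {}
    for e in events:
        s = out.setdefault(e["sta"].lower(),
                           {"identity": None, "servers": [], "rejected_by": None})
        if e["event"] == "eap-id-resp" and e["info"]:
            s["identity"] = e["info"].strip()
        if e["server"] and e["server"] not in s["servers"]:
            s["servers"].append(e["server"])
        if e["event"] == "rad-reject":
            s["rejected_by"] = e["server"]
    return out

def missed_rule(summary, contains, expected_server):
    """Stations whose identity contains the rule string but never hit expected_server."""
    return [sta for sta, s in summary.items()
            if s["identity"] and contains in s["identity"]
            and expected_server not in s["servers"]]

if __name__ == "__main__":
    summary = summarize(parse_trace(TRACE))
    print(summary)
    print("rule not applied for:", missed_rule(summary, "@CORP", "backup01"))
```

Run against the trace in this post, it lists the station as never having reached the hypothetical backup01, with the reject coming from primary01.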

     



  • 6.  RE: Is dynamic server selection only for when termination enabled?

    EMPLOYEE
    Posted Sep 27, 2013 03:41 PM

    I had a look at this with TAC and it just doesn't seem to work as it should, and is looking like a bug.  AOS 6.2.1.3.

     

    In spite of this I was wondering what happens in the example above if the first server becomes unavailable?  If there is only one server available are the match rules ignored then and all clients just use that as normal?